FunctionConventions - Pennsylvania State University
Function Conventions

- Standard Entry Sequence (cdecl)
  - Save the old base pointer
  - Set the new stack base pointer
  - Allocate space for local variables
  - The same prologue appears under stdcall and fastcall; the convention shows only in how arguments arrive and who removes them

  __function:
      push ebp        ; 55
      mov  ebp, esp   ; 8BEC (GCC emits the equivalent encoding 89E5)
      sub  esp, x     ; not always present (83EC ib for x < 128, else 81EC id)

  Equivalent form using ENTER:

  __function:
      enter 0, 0      ; C8 iw ib: push ebp / mov ebp, esp / sub esp, iw in one instruction
      sub  esp, x     ; not always present (enter x, 0 would reserve the locals directly)
Function Conventions

- Standard Exit Sequence (cdecl)
  - Deallocate the local variables (reload the stack pointer from EBP)
  - Reload the old stack base (pop the saved EBP)
  - Return to the caller

  ...
      mov  esp, ebp   ; 8BE5 (or 89EC)
      pop  ebp        ; 5D
      ret             ; C3 near, CB far

  Equivalent form using LEAVE:

  ...
      leave           ; C9 = mov esp, ebp / pop ebp
      ret             ; C3 near, CB far (a stdcall function returns with ret imm16, C2 iw, instead)
Function Call Conventions

- cdecl
  - Used by GCC and GNU libraries (the default for C on 32-bit x86)
- stdcall
  - Used by the Win32 API
  - Sometimes incorrectly called "pascal"
- fastcall
  - Many different implementations
  - Not standardized
Function Call Conventions

- cdecl
  - Parameters pushed right to left
  - EAX, ECX, EDX not preserved (caller saved); EBX, ESI, EDI, EBP preserved (callee saved)
  - Return value in EAX (64-bit values in EDX:EAX); floating point returns in ST0
  - Caller performs clean-up
- stdcall
  - Same as cdecl, except callee clean-up
  - RET imm16 (C2 iw) is the sign of this
- fastcall
  - One or more parameters passed in registers
  - MS VC++ and GCC: first arg in ECX, second arg in EDX, remainder pushed right to left on the stack; callee clean-up
cdecl Function Call Convention

- Push parameters on the stack (right to left)
- Call the function
- Save and update EBP
- Save registers that will be overwritten
- Allocate local variables
- Execute the function
- Release local storage
- Restore saved registers
- Restore EBP
- Return
- Clean up parameters (done by the caller)
stdcall Function Call Convention

- Push parameters on the stack (right to left)
- Call the function
- Save and update EBP
- Save registers that will be overwritten
- Allocate local variables
- Execute the function
- Release local storage
- Restore saved registers
- Restore EBP
- Clean up parameters (done by the callee)
- Return (RET imm16 performs the last two steps in one instruction)
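The byte sequences on these slides (55 8B EC, C8, 8B E5 5D, C9, C3/CB and the RET imm16 that marks callee clean-up) are what disassemblers key on when they look for function boundaries and what a reverser reads off a function to tell cdecl from stdcall. The following C program is an added example and not part of the original slides: it scans hand-assembled 32-bit x86 fragments (constructed here, not taken from any binary) for the standard entry and exit sequences, recovers the frame size and reads the calling-convention hint off the return instruction. The function and sample names are this example's own.

```c
/* Added example (not from the slides): recognise the standard entry/exit sequences
 * in raw 32-bit x86 code and read the calling-convention hint off the RET. The byte
 * arrays at the bottom are hand-assembled for this example, not taken from a binary. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    bool     has_frame;    /* push ebp / mov ebp,esp  or  enter  at offset 0      */
    size_t   prologue_len; /* bytes consumed by the entry sequence                */
    int32_t  frame_size;   /* bytes reserved for locals (sub esp,x or enter x,0)  */
    bool     has_epilogue; /* leave or pop ebp followed by a ret was found        */
    bool     far_return;   /* retf (CB / CA iw) rather than near ret (C3 / C2 iw) */
    uint32_t callee_pops;  /* ret imm16 operand; 0 means the caller cleans up     */
} func_shape;

static bool match(const uint8_t *p, size_t avail, const uint8_t *pat, size_t n) {
    return avail >= n && memcmp(p, pat, n) == 0;
}

/* Entry sequence: 55 8B EC (GCC encodes the mov as 89 E5) or C8 iw ib (enter),
 * optionally followed by sub esp, imm8 (83 EC ib) or sub esp, imm32 (81 EC id). */
static size_t parse_prologue(const uint8_t *code, size_t len, func_shape *s) {
    static const uint8_t msvc[] = {0x55, 0x8B, 0xEC}, gcc[] = {0x55, 0x89, 0xE5};
    static const uint8_t sub8[] = {0x83, 0xEC}, sub32[] = {0x81, 0xEC};
    size_t off;
    if (match(code, len, msvc, 3) || match(code, len, gcc, 3)) off = 3;
    else if (len >= 4 && code[0] == 0xC8) { s->frame_size = (int32_t)(code[1] | (code[2] << 8)); off = 4; }
    else return 0;
    s->has_frame = true;
    if (match(code + off, len - off, sub8, 2) && len - off >= 3) {
        s->frame_size += (int8_t)code[off + 2];           /* imm8 is sign-extended */
        off += 3;
    } else if (match(code + off, len - off, sub32, 2) && len - off >= 6) {
        s->frame_size += (int32_t)(code[off + 2] | (code[off + 3] << 8) |
                         (code[off + 4] << 16) | ((uint32_t)code[off + 5] << 24));
        off += 6;
    }
    return off;
}

/* Exit sequence: C9 (leave) or 5D (pop ebp) followed by C3 / C2 iw (near ret) or
 * CB / CA iw (far ret). This is a byte scan, not a disassembly, so it can misfire
 * on a 5D or C9 that sits inside an immediate or a displacement. */
static bool parse_epilogue(const uint8_t *code, size_t len, size_t start, func_shape *s) {
    for (size_t i = start; i + 1 < len; i++) {
        if (code[i] != 0xC9 && code[i] != 0x5D) continue;
        uint8_t ret = code[i + 1];
        if (ret == 0xC3 || ret == 0xCB) {
            s->callee_pops = 0;
        } else if ((ret == 0xC2 || ret == 0xCA) && i + 3 < len) {
            s->callee_pops = (uint32_t)(code[i + 2] | (code[i + 3] << 8));
        } else {
            continue;
        }
        s->far_return = (ret == 0xCB || ret == 0xCA);
        s->has_epilogue = true;
        return true;
    }
    return false;
}

static func_shape analyze(const uint8_t *code, size_t len) {
    func_shape s = {0};
    s.prologue_len = parse_prologue(code, len, &s);
    parse_epilogue(code, len, s.prologue_len, &s);
    return s;
}

static const char *convention_hint(const func_shape *s) {
    if (!s->has_epilogue) return "no standard exit sequence found";
    if (s->callee_pops == 0) return "caller cleans up: cdecl (or fastcall with register-only args)";
    return "callee cleans up: stdcall family (stdcall, MS fastcall with stack args, pascal)";
}

/* Hand-assembled samples, constructed for this example. */
static const uint8_t sample_cdecl[] = {    /* int __cdecl add(int a, int b)          */
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08,    /* push ebp ; mov ebp, esp ; sub esp, 8   */
    0x8B, 0x45, 0x08, 0x03, 0x45, 0x0C,    /* mov eax, [ebp+8] ; add eax, [ebp+0Ch]  */
    0x8B, 0xE5, 0x5D, 0xC3};               /* mov esp, ebp ; pop ebp ; ret           */
static const uint8_t sample_stdcall[] = {  /* int __stdcall add(int a, int b)        */
    0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0x03, 0x45, 0x0C,
    0x5D, 0xC2, 0x08, 0x00};               /* pop ebp ; ret 8 (callee pops two args) */
static const uint8_t sample_enter[] = {    /* frame built with ENTER                 */
    0xC8, 0x10, 0x00, 0x00, 0x31, 0xC0,    /* enter 16, 0 ; xor eax, eax             */
    0xC9, 0xC3};                           /* leave ; ret                            */

int main(void) {
    const uint8_t *code[] = {sample_cdecl, sample_stdcall, sample_enter};
    const size_t len[] = {sizeof sample_cdecl, sizeof sample_stdcall, sizeof sample_enter};
    for (int i = 0; i < 3; i++) {
        func_shape s = analyze(code[i], len[i]);
        printf("sample %d: frame=%d locals=%d ret_pops=%u -> %s\n", i, (int)s.has_frame,
               (int)s.frame_size, (unsigned)s.callee_pops, convention_hint(&s));
    }
    return 0;
}
```

A plain ret only says that the caller cleans up, so it cannot separate cdecl from a fastcall whose arguments all fit in ECX and EDX; the ret imm16 on the stdcall sample gives the argument bytes directly (8 here, two dwords). The scan also does not decode instruction boundaries, which is why a real disassembler classifies functions only after a linear sweep or recursive traversal has fixed where each instruction starts.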
Function Call Conventions

- Others
  - pascal
    - Parameters pushed left to right
    - Windows 3.x (16-bit) API
  - syscall
    - Parameter size passed in AL
  - safecall
    - Encapsulated COM error handling (Delphi: the function returns an HRESULT and exceptions are converted to error codes)
  - thiscall
    - C++ member functions; this in ECX (MSVC) or pushed as the last parameter (GCC)
    - Either caller or callee clean-up, depending on the compiler
  - ...
Control Statements

- If-Else
- Switch
- For
- While
If-Else Statement

Switch Statement

For Statement

While Statement
Determining Signed-ness

- Signed and Unsigned Variables
  - Operations on signed and unsigned variables use different instructions
  - IMUL / MUL
  - IDIV / DIV (preceded by CDQ for signed, XOR EDX, EDX for unsigned)
  - Jcc: JL, JLE, JG, JGE (signed) versus JB, JBE, JA, JAE (unsigned)
  - Also MOVSX / MOVZX when widening and SAR / SHR when shifting right
Tools of the Trade

- Disassembler
  - Machine code to instructions
- Decompiler
  - Instructions to code (often C-like pseudocode)
- Debugger
  - Real-time, step-through-code debugging
Disassemblers

- Disassemblers
  - Convert machine code to instructions
Decompilers

- Decompilers
  - Attempt to convert instructions or byte code to higher-level languages
- One way of dealing with architecture-dependent binary code is to decompile it into some architecture-independent intermediate representation (IR)
Debuggers

- Debuggers
  - Modes
    - User-mode
    - Kernel-mode
  - Common features
    - Create/attach to a process
    - Set/clear breakpoints
    - Step into/over
    - Trace into/over
Debuggers

- Breakpoints
  - Software breakpoints
    - INT 3 (\xCC) written over the first byte of the target instruction; when the trap fires the debugger restores the byte and rewinds EIP by one
  - Memory breakpoints
    - Implemented by changing page protection so the access faults and the debugger is notified
  - Hardware breakpoints
    - Intel DR0-DR7 debug registers: DR0-DR3 hold up to four addresses, DR7 enables them and selects execute/write/access and length, DR6 reports which one fired
- Traces
  - Record instructions and execution contexts
- Stepping
  - Step into/over
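The INT 3 mechanism above is simple enough to implement directly. The following C program is added here and is not part of the original slides: it plays debugger to a forked copy of itself using Linux ptrace(2), saves the first byte of a function, overwrites it with 0xCC, resumes the child, catches the SIGTRAP, checks that the program counter sits one byte past the patched address, then restores the byte and rewinds the program counter before letting the child finish. The names target and run_breakpoint_demo are this example's own; it assumes Linux on x86-64 or 32-bit x86 and that ptrace is permitted for the process.

```c
/* Added example (not from the slides): a software breakpoint implemented the way a
 * debugger does it, with INT 3 (0xCC) and Linux ptrace(2). The parent is the debugger;
 * a forked (not exec'd) child is the debuggee, so both see the same code addresses.
 * Assumes Linux on x86-64 or 32-bit x86 and that ptrace is permitted. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define PC(r) ((r).rip)
#elif defined(__i386__)
#define PC(r) ((r).eip)
#else
#error "this example is written for x86"
#endif

/* Debuggee routine the breakpoint is planted on (hypothetical name for this example). */
__attribute__((noinline)) static int target(void) { return 42; }

static int give_up(pid_t pid) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); return 0; }

/* Returns 1 if the breakpoint fired exactly at target()'s entry and the debuggee then
 * ran to completion with the original byte back in place; 0 otherwise. */
static int run_breakpoint_demo(void) {
    uintptr_t addr = (uintptr_t)&target;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                                /* --- debuggee --- */
        int (*volatile fn)(void) = target;         /* indirect call so it cannot be inlined */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(100);
        raise(SIGSTOP);                            /* pause until the debugger has planted 0xCC */
        _exit(fn());
    }
    int status;                                    /* --- debugger --- */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return give_up(pid);

    /* 1. Save the original word and replace its low byte (x86 is little-endian, so that
     *    is the first byte of target) with INT 3 (0xCC). */
    errno = 0;
    long orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    if (orig == -1 && errno) return give_up(pid);
    long patched = (orig & ~0xFFL) | 0xCC;
    if (ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)patched) < 0) return give_up(pid);

    /* 2. Resume: the CPU executes INT 3 and the kernel stops the child with SIGTRAP. */
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP)
        return give_up(pid);

    /* 3. After the trap the PC points one byte past the 0xCC; check that it is ours. */
    struct user_regs_struct regs;
    ptrace(PTRACE_GETREGS, pid, NULL, &regs);
    int hit_here = (PC(regs) - 1 == addr);

    /* 4. Put the original byte back and rewind the PC so the real instruction executes. */
    ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)orig);
    PC(regs) = addr;
    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 0;
    return hit_here && WEXITSTATUS(status) == 42;
}

int main(void) {
    printf("INT 3 breakpoint demo: %s\n", run_breakpoint_demo() ? "hit and resumed" : "failed");
    return 0;
}
```

A real debugger that wants the breakpoint to persist would single-step the restored instruction and then write 0xCC back, which is also why a breakpointed function behaves differently from the bytes on disk: a reader that checksums its own code, or a disassembly of a live process, sees the 0xCC. The same restore-and-rewind dance is what OllyDbg and gdb do behind "set breakpoint".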
GNU Debugger (gdb)

- Disassembler, debugger
  - Command-line
    - Insight is a GUI wrapper for gdb
  - Not just for Linux
    - Native x86 Windows support
    - Special versions for various architectures
GNU Debugger (gdb) Breakpoint Tutorial
OllyDbg

- Disassembler
- Debugger
  - Open
    - Creates a new process as a debuggee, with the debugger attached from its first instruction
  - Attach
    - Attaches to a process that is already running
  - Detach (version 2.x)
    - Detaches the debugger and allows the process to continue
  - Terminate
    - Kills the debuggee
IDA

- Disassembler, decompiler*, debugger
  - Commercial
    - With freeware and demo versions
  - Now a Hex-Rays product
    - Formerly DataRescue
  - *Decompilers sold separately (and expensive)
IDA

- Shortcuts
  - Run (F9), step into (F7), step over (F8)
  - Set/clear breakpoint (F2)
  - Apply name to an address (N)
  - Comment (:), repeatable comment (;)
  - Toggle graph view/assembly view (Space)
  - Jump to name/address (G)
  - Follow reference (Enter)
  - Display/jump to cross-references (X)
  - Return to previous location (Esc)
IDA Patching

- Patching
  - Edit "cfg/idagui.cfg"
  - Change "DISPLAY_PATCH_SUBMENU" to "YES" (older IDA versions hide the Patch program submenu until this is set)
Hex-Rays Decompilers
WinDbg by Microsoft

- Disassembler, debugger
  - User-mode and kernel-mode debugger
Questions/Comments?